ENGIE is a DimoMaint CMMS customer. Because the organisation needed to be mobile, it was useful for its technicians to be able to access the application on their mobile phones. Mobile security is becoming increasingly important for large groups in general. At ENGIE, it was no longer possible for them to install the solution themselves. As a result, DimoMaint’s teams made sure they met these new requirements.
Avoiding side loading on Android
Historically, the person in charge of the functional scope sent a download link to the technicians, for example. Android has developed the management of its devices for the corporate world through a Mobile Device Management (MDM) solution.
This has led ENGIE to develop various security policies to prevent ‘side loading’, i.e. installing the application on a device (such as a work smartphone) directly via a PC and a USB connection.
This approach can potentially be a vector for threats.
What was blocked was not the installation of the DimoMaint application itself, but the possibility that a connection between the phone and the PC could allow an infection to pass from the PC to the phone, or from the phone to the PC.
The device is now enrolled in an MDM solution to prevent the installation of malicious applications on business phones. Nor is it possible to retrieve the application from the DimoMaint website and install it.
The role of Google Play
The second security restriction put in place by ENGIE involved activating an existing feature in Android that prohibits the installation of applications other than those from the public Android Google Play. Gilles Atlan explains:
The DimoMaint App has now been integrated into the non-public Google Play for businesses linked to ENGIE.
ENGIE took advantage of this technological breakthrough on Google to switch from Android Legacy, the old way of managing devices, to a new process via an MDM solution, thereby strengthening its security.
Bringing shadow IT to light
The impact of this feature is to check all the applications installed on a restricted user base. Increasing the level of security has made it possible to bring shadow IT to light, i.e. to handle uses and control the associated publication processes.
“The aim was not to block our users or prevent them from working, but above all to guard against the security risks associated with the ability to install applications of unknown origin, in particular the installation of applications from so-called alternative stores. ENGIE wants to protect itself against any risk of information theft, squatting, malware, etc.” explains Gilles Atlan.
Setting up the controlled deployment of DimoMaint
All applications installed locally, without going through central IT or the person who manages the entity or business unit, are reported:
“We therefore identified client applications that ENGIE technicians on assignment might need to install in order to work. They now open tickets on the hotline. The business need at entity level is analysed. Then we approach the publisher – in other words DimoMaint – to fit the application into ENGIE’s use for the Android part. In this way, we ensure that it is published in our Google Play Enterprise.”

Same approach for the iOS world
The same applies to iOS, where side loading and alternative stores are blocked. DimoMaint used the ‘Unlisted apps’ method to publish the DimoMaint App on the public Apple Store without it being displayed, with the correct application version linked to the backend. DimoMaint has an Apple Enterprise contract to which an Apple Developer contract has been added which guarantees that the application is active and maintained and therefore traceable.
“The MDM process gives DimoMaint full control over the availability of its mobile CMMS application to ENGIE technicians and guarantees an optimum level of security,” concludes Gilles Atlan.

